How to restrict docker-proxy to localhost?

  • ubuntu questing
  • docker-ce 5:29.1.3-1~ubuntu.25.10~questing

It seems that the /etc/docker/daemon.json is completely dismissed:

{
  "debug": true,
  "ip": "127.0.0.1",
  "ipv6": false
}

Despite this configuration, docker-proxy is in fact running on all IPv4 and IPv6 ports:

netstat -tunpevaW | grep docker

tcp6 0 0 :::5000 :::* LISTEN 0 33077938 901252/docker-proxy
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 0 33077937 901245/docker-proxy

systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: enabled)
Active: active (running) since Mon 2025-12-29 14:01:26 CET; 1h 42min ago
Invocation: af5cfcc122ed4174bc01b70369221a90
TriggeredBy: ● docker.socket
Docs: https://docs.docker.com
Main PID: 738186 (dockerd)
Tasks: 29
Memory: 53.2M (peak: 66.8M)
CPU: 2.942s
CGroup: /system.slice/docker.service
├─738186 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
├─901245 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5000 -container-ip 172.18.0.2 -container-port 5000 -use-listen-fd
└─901252 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 5000 -container-ip 172.18.0.2 -container-port 5000 -use-listen-fd

How to make docker-proxy run only on localhost 127.0.0.1 (and not IPv6)?

How do you create the container? The “ip” parameter is only for containers on the default bridge network.

https://docs.docker.com/reference/cli/dockerd/

Quote:

--ip ip     Host IP for port publishing from the default bridge network (default 0.0.0.0)
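
An added example (not part of the thread and not Docker's own tooling): a check that parses docker-proxy command lines like the ones in the systemctl output above and reports every published port whose -host-ip is not a loopback address. The function names and the third sample line (a loopback-bound proxy, for contrast) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag docker-proxy listeners that are not bound to loopback.

# Constructed sample: the two docker-proxy command lines from the post,
# plus one hypothetical loopback-bound proxy for contrast.
sample_cmdlines() {
cat <<'EOF'
/usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5000 -container-ip 172.18.0.2 -container-port 5000 -use-listen-fd
/usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 5000 -container-ip 172.18.0.2 -container-port 5000 -use-listen-fd
/usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8080 -container-ip 172.17.0.2 -container-port 80 -use-listen-fd
EOF
}

# Reads process command lines on stdin. For every docker-proxy whose
# -host-ip is not loopback, prints: proto host_ip host_port container_ip:port
exposed_proxies() {
  awk '
    $1 ~ /(^|\/)docker-proxy$/ {
      proto = ip = port = cip = cport = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-proto")          proto = $(i + 1)
        if ($i == "-host-ip")        ip    = $(i + 1)
        if ($i == "-host-port")      port  = $(i + 1)
        if ($i == "-container-ip")   cip   = $(i + 1)
        if ($i == "-container-port") cport = $(i + 1)
      }
      if (ip == "") next                          # no host binding found
      if (ip ~ /^127\./ || ip == "::1") next      # loopback only: fine
      print proto, ip, port, cip ":" cport
    }'
}

# Live use: audit the running host. Returns 1 if any proxy is exposed.
audit_host() {
  local out
  out=$(ps -eo args= | exposed_proxies)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Demo on the constructed sample.
sample_cmdlines | exposed_proxies
```

Run `audit_host` after changing how a port is published to confirm that no docker-proxy is still bound to 0.0.0.0 or ::.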